1

When building AOSP S (12), I encounter a strange problem, but maybe only sometimes / on some machines. The error log is as follows:

neverallow check failed at out/target/product/msmnile_au/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:22861 from system/sepolicy/private/property.te:46
  (neverallow domain base_typeattr_745 (file (ioctl read write create setattr lock relabelfrom append unlink link rename open watch watch_mount watch_sb watch_with_perm watch_reads)))
    <root>
    allow at out/target/product/msmnile_au/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:8901
      (allow dumpstate property_type (file (read getattr map open)))
    <root>
    allow at out/target/product/msmnile_au/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:11533
      (allow init property_type (file (read write create getattr setattr relabelto append map unlink rename open)))
    <root>
    allow at out/target/product/msmnile_au/obj/ETC/plat_pub_versioned.cil_intermediates/plat_pub_versioned.cil:6370
      (allow dumpstate_31_0 property_type (file (read getattr map open)))
    <root>
    allow at out/target/product/msmnile_au/obj/ETC/plat_pub_versioned.cil_intermediates/plat_pub_versioned.cil:8170
      (allow init_31_0 property_type (file (read write create getattr setattr relabelto append map unlink rename open)))

Failed to generate binary
Failed to build policydb

Then I check the rules. system/sepolicy/private/property.te:46 says:

enforce_sysprop_owner(`
  neverallow domain {
    property_type
    -system_property_type
    -product_property_type
    -vendor_property_type
  }:file no_rw_file_perms;
')

and system/sepolicy/public/dumpstate.te:278 says:

# Read any system properties
get_prop(dumpstate, property_type)

My question is, does this violate the neverallow rule and cause this error? If yes, why does this error sometimes not pop up? If not, what is the reason for my error?

Thanks in advance.

Yang Le

2 Answers

0

I have added the code below under device/xiaomi/juice/BroadConfig.mk:

# Sepolicy
SELINUX_IGNORE_NEVERALLOWS := true

However, this is not supported in user builds; it is only supported in userdebug and eng builds.

IamVISH
-1

I got the reason. The reason is that I have another file that uses property_type; if this file exists, the problem pops up, otherwise all things go well. Hope this is useful for you. BTW, the error message is far away from the real problem.

Yang Le
  • I am also getting the same error. What is the other file that uses property_type? Can you please state the file name and its path? Also, what is the action you took? Did you just remove the file? – IamVISH Feb 07 '22 at 04:46
  • The file that uses property_type is a private file, not in AOSP, so it's no help even if I tell you the name and its path. The action you need to take depends: if it's not necessary, you can remove it. Otherwise, try to use vendor_property_type instead of property_type. – Yang Le Feb 08 '22 at 15:20
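The mechanism behind the question and the accepted explanation in the second answer can be made concrete with a small model of how a neverallow with an attribute set-difference is evaluated. The following Python is an added illustration, not code from the post or from AOSP; the attribute sets, the type name my_private_prop and the cut-down allow rules are constructed for the example. The permission lists are copied from the neverallow and allow lines in the error log above. The point it demonstrates: in the stock policy every property type also carries one of system_property_type, product_property_type or vendor_property_type, so the target set of the neverallow is empty and get_prop(dumpstate, property_type) is harmless; a type declared with only the bare property_type attribute makes the set non-empty, and the same get_prop rule is then reported as the violation, far from the file that introduced the type.

```python
"""Toy model of checkpolicy's neverallow evaluation for the property.te rule.

Added example, not AOSP code. Attributes are modelled as sets of types and the
target expression {property_type -system_property_type -product_property_type
-vendor_property_type} is evaluated as a set difference, which is why the rule
only has teeth when some type carries property_type without an owner attribute.
"""

# Permissions in no_rw_file_perms, taken from the neverallow line in the log
NO_RW_FILE_PERMS = frozenset(
    "ioctl read write create setattr lock relabelfrom append unlink link rename "
    "open watch watch_mount watch_sb watch_with_perm watch_reads".split()
)
# get_prop() expands to r_file_perms; the log shows (read getattr map open)
R_FILE_PERMS = frozenset({"read", "getattr", "map", "open"})

# Constructed, cut-down stock policy: attribute -> member types
STOCK_ATTRS = {
    "domain": {"init", "dumpstate"},
    "property_type": {"system_prop_a", "vendor_prop_b"},
    "system_property_type": {"system_prop_a"},
    "vendor_property_type": {"vendor_prop_b"},
    "product_property_type": set(),
}

# Allow rules as the checker sees them after macro expansion: (source, target, perms)
ALLOWS = [
    # get_prop(dumpstate, property_type) from dumpstate.te
    ("dumpstate", "property_type", R_FILE_PERMS),
    # init's rule as printed in the log
    ("init", "property_type", R_FILE_PERMS | {"write", "create", "setattr",
                                             "relabelto", "append", "unlink", "rename"}),
]

def expand(attrs, name):
    """An attribute expands to its member types; a plain type is itself."""
    return set(attrs.get(name, {name}))

def neverallow_violations(attrs, allows, src, target_pos, target_negs, perms):
    """Return the allow rules that intersect neverallow src (target_pos - negs):perms."""
    sources = expand(attrs, src)
    targets = expand(attrs, target_pos)
    for neg in target_negs:
        targets -= expand(attrs, neg)
    if not targets:
        return []  # vacuous neverallow: no type is left to protect
    hits = []
    for s, t, p in allows:
        common_types = expand(attrs, t) & targets
        common_perms = set(p) & perms
        if expand(attrs, s) & sources and common_types and common_perms:
            hits.append((s, t, sorted(common_types), sorted(common_perms)))
    return hits

def check_property_neverallow(attrs):
    """The property.te:46 rule from the question, evaluated against ALLOWS."""
    return neverallow_violations(
        attrs, ALLOWS, "domain", "property_type",
        ["system_property_type", "product_property_type", "vendor_property_type"],
        NO_RW_FILE_PERMS)

def with_private_type(owner_attr=None):
    """Add a hypothetical out-of-tree type my_private_prop declared with bare
    property_type (owner_attr=None) or also with an owner attribute such as
    vendor_property_type, which is the fix suggested in the comment above."""
    attrs = {k: set(v) for k, v in STOCK_ATTRS.items()}
    attrs["property_type"].add("my_private_prop")
    if owner_attr:
        attrs[owner_attr].add("my_private_prop")
    return attrs

if __name__ == "__main__":
    print("stock policy:", check_property_neverallow(STOCK_ATTRS))
    print("bare property_type:", check_property_neverallow(with_private_type()))
    print("with vendor_property_type:",
          check_property_neverallow(with_private_type("vendor_property_type")))
```

Running it shows no violation for the stock sets, two reported rules (dumpstate and init, exactly the two sources named in the log) once my_private_prop exists with only property_type, and none again when the type also gets vendor_property_type. The reported rule names the macro expansion in dumpstate.te, not the private .te file that actually changed the policy, which is why the error is "far away from the real problem".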